June 23, 2026

Klue integration breach exposes Salesforce customer data


At a glance: A breach at Klue in June 2026 exposed how a compromised SaaS integration can be used to access multiple Salesforce environments at once. Attackers stole OAuth tokens from Klue’s integration infrastructure and used them to pull CRM data from several organizations, including well‑known cybersecurity vendors. The incident highlights a growing pattern of threats aimed not at Salesforce itself, but at the third‑party connectors that many companies rely on to run their sales operations.

Threat summary

A June 2026 security incident at competitive intelligence platform Klue resulted in unauthorized access to customer data stored in connected third‑party platforms, including Salesforce.

According to Klue’s public statement and independent reporting, the intrusion was detected on June 12 after an unauthorized actor gained access to Klue’s integration infrastructure via a compromised legacy credential.

Klue’s official statement says the attacker gained access using a compromised legacy credential associated with an integration service. Using this access, the attacker obtained OAuth tokens that Klue customers had authorized for integrations with third-party platforms, including Salesforce.

These tokens were then used to access data within several connected customer environments. Klue stated that the incident was limited to these third-party platforms and that there is no evidence customer content stored within the Klue platform itself was affected.

Klue responded by revoking affected credentials and tokens, removing unauthorized code, disabling potentially impacted integrations, notifying law enforcement, and engaging a cybersecurity vendor to support the investigation. The company has been communicating directly with affected customers and is reviewing its security controls, credential management practices, monitoring capabilities, and deployment processes.

The breach has had a notable effect on the cybersecurity sector, with several prominent security vendors confirming that their Salesforce environments were accessed using OAuth tokens stolen from Klue’s integration infrastructure. According to public disclosures, affected organizations include Recorded Future, Tanium, Jamf, Huntress, and others. These companies reported exposure of CRM-related data.

The Icarus hacking group has claimed responsibility for the attack, posting samples of the stolen Salesforce data on its leak site. While Klue has not formally attributed the breach to any specific actor, Icarus’ claim is the only public attribution associated with the incident, and several affected organizations have acknowledged that the data posted by the group matches what was taken from their environments. At this stage, the attribution remains based solely on Icarus’ public statements and the data they released, with no independent confirmation.

Analysis

Threat actors are increasingly targeting software-as-a-service (SaaS) integrations that organizations rely on. In the Salesforce ecosystem, these integrations often have wide-ranging API permissions and long-lived OAuth tokens, making them an attractive target.

When a single integration provider is compromised, the adversary inherits the trust and access that customers have already granted, turning one breach into multiple compromises. The fact that several cybersecurity companies were caught up in this incident shows how even mature security programs can be exposed when a trusted connector becomes the weak link.

Salesforce emphasized that the issue was isolated to the Klue integration and did not involve any vulnerability in the Salesforce platform itself, a distinction that mirrors other recent incidents where the platform remained secure, but connected apps became the attack surface.

The data reported as accessed in this case consisted of CRM records reachable through the compromised integrations. Affected organizations reported exposure of business contact information, subscription or product-related details, and sales or marketing communications: the kinds of data commonly synchronized between Salesforce and third-party tools.

Mitigations

Reducing the risk of similar incidents requires more than rotating passwords. Organizations should regularly audit all integrations connected to Salesforce and other SaaS platforms, removing those that are no longer needed and disabling legacy credentials that may still be active behind the scenes.

OAuth tokens tied to high-risk or impacted integrations should be revoked and reissued, and integrations should be restricted to the minimum permissions required for their function.

Monitoring Salesforce API activity for unusual patterns, such as unexpected query spikes or access from unfamiliar infrastructure, can help surface misuse early.

Shorter token lifetimes and periodic reauthorization requirements add another layer of protection, limiting how long an attacker can operate if a token is ever compromised.
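As an added example (not Klue’s, Salesforce’s, or any affected vendor’s code), the following script applies two of the monitoring checks above to constructed API log lines: per connected app, it flags access from infrastructure not on that app’s allowlist and flags hourly row-count spikes. The column names, the allowlist, and the threshold are assumptions, modelled loosely on a Salesforce event-log CSV export.

```python
"""Flag suspicious connected-app API activity over sample log lines.

Added example, not vendor code. Field names (TIMESTAMP, CLIENT_ID,
SOURCE_IP, ROWS_PROCESSED) are assumptions; the log lines are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: "intel_sync" has a small daytime baseline, then a burst
# of very large queries from an IP the integration has never used before.
SAMPLE_LOG = """TIMESTAMP,CLIENT_ID,SOURCE_IP,ROWS_PROCESSED
2026-06-11T09:00:00Z,intel_sync,203.0.113.10,120
2026-06-11T10:00:00Z,intel_sync,203.0.113.10,95
2026-06-12T02:13:00Z,intel_sync,198.51.100.77,48000
2026-06-12T02:14:00Z,intel_sync,198.51.100.77,51000
2026-06-12T02:15:00Z,intel_sync,198.51.100.77,47500
2026-06-12T09:00:00Z,billing_sync,203.0.113.20,300
"""

# Assumed per-app allowlist of the infrastructure each integration is
# expected to call from, maintained from vendor documentation and past audits.
KNOWN_IPS = {"intel_sync": {"203.0.113.10"}, "billing_sync": {"203.0.113.20"}}


def detect_anomalies(log_text, known_ips, rows_threshold=10000):
    """Return a list of (client_id, reason, detail) alerts.

    Check 1: a source IP not on the app's allowlist (reported once per pair).
    Check 2: total rows pulled by an app within one hour above the threshold.
    """
    alerts = []
    rows_per_hour = defaultdict(int)  # (client_id, hour bucket) -> rows
    unknown_seen = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        app, ip = row["CLIENT_ID"], row["SOURCE_IP"]
        if ip not in known_ips.get(app, set()) and (app, ip) not in unknown_seen:
            unknown_seen.add((app, ip))
            alerts.append((app, "unfamiliar_source_ip", ip))
        hour = row["TIMESTAMP"][:13]  # "YYYY-MM-DDTHH" bucket
        rows_per_hour[(app, hour)] += int(row["ROWS_PROCESSED"])
    for (app, hour), rows in sorted(rows_per_hour.items()):
        if rows > rows_threshold:
            alerts.append((app, "query_spike", f"{hour}: {rows} rows"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

In practice the allowlist and threshold should be derived from each integration’s observed baseline rather than hard-coded, and an alert on an integration should trigger the token revocation and reissue described above.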
